More than half a million people who paid to spy on others have now had their own information exposed.
A hacktivist going by the name “wikkid” scraped roughly 536,000 payment records from a stalkerware operation tied to a Ukrainian software company, Struktura, according to a TechCrunch investigation. The data includes customer email addresses, payment amounts, card types, and the last four digits of credit cards used to buy phone surveillance tools from the company.
Struktura operates behind the U.K.-facing brand Ersten Group and runs several stalkerware products such as uMobix, Xnspy, Geofinder, and an Instagram monitoring service called Peekviewer, all designed to secretly track phones and social media accounts.
The hacktivist said the data was pulled by exploiting what they described as a “trivial” bug on the company’s website, and that no advanced intrusion was needed. The flaw reportedly allowed large portions of the customer database to be scraped directly.
The Fallout
The exposed dataset shows years of transactions from people who paid to monitor partners, spouses, and family members. While the leak does not include full card numbers or transaction dates, it reveals enough information to identify customers and link them to specific surveillance tools.
This is not the first time stalkerware companies have been exposed for weak security. Over the past several years, similar apps have leaked victim data, location histories, messages, and photos from phones that were secretly monitored. Xnspy, one of the apps involved in this latest breach, suffered a major data exposure in 2022.
Stalkerware typically works by being installed without a user’s knowledge, then quietly uploading calls, texts, GPS locations, and other private data to remote servers. Marketing materials often frame the tools as ways to “monitor loved ones,” but legal experts have repeatedly warned that using them can violate wiretapping and privacy laws.
Struktura operates out of Ukraine but presents its business through Ersten Group, which describes itself as a British software company. The two reportedly share infrastructure and websites. The earliest transaction in the leaked data appears to be a small test payment linked to the company’s chief executive.
The breach highlights a familiar contradiction in the surveillance-for-hire industry. Companies that sell tools designed to secretly watch others often fail to protect even their own systems. In this case, the people paying for secrecy ended up exposing themselves.
For those targeted by stalkerware, the leak does little to help identify compromised phones. The apps remain difficult to detect and are designed to stay hidden. What it does show is the scale of the market. More than half a million payment records point to a large, active customer base, despite years of warnings, lawsuits, and security failures.
This time, the surveillance went the other way.
Sources: TechCrunch, The Tech Buzz